Re: [Cfrg] Actual security levels for IETF crypto

Watson Ladd <watsonbladd@gmail.com> Tue, 28 October 2014 23:00 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81D0D1A0687 for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 16:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MeeDB9nnNijs for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 15:59:56 -0700 (PDT)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A0BB1A0410 for <cfrg@irtf.org>; Tue, 28 Oct 2014 15:59:56 -0700 (PDT)
Received: by mail-yk0-f170.google.com with SMTP id 19so792561ykq.15 for <cfrg@irtf.org>; Tue, 28 Oct 2014 15:59:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=6ayLOq6KGjU3kz6RJSnxW5Z/rwAP/yPYJBVocR+MoTw=; b=JOjhRjf8kpOIPghy2XHXk7bs83lKiC3H7S5L4Ojg9UxZhagqMr/zVzwganTDDTUtmt F7lUz4Pj12bfL47KYsyZPUj6LbbXoI9x5ob+5jtlZq9tXBwG9Q9ywgBWqvtJiEDW0PS0 klbFY2oLsFczQMMNPQGk7TjjiJXHchNY5kawmDNlZYg/aeORbaCGM2tpsMrpngHcxtAh +EWwb0saXPUysMaLSGikyjEoZu3WJ74SUca3qfw09RZv59AWLnFd0vdUrhYZl3fgWJ3f YAvQzRlfLAjFoPetZ4nv4zNhwXBhBPALt0F9ajPL3zl4UqzPoRstq34UxpoCkrSFwEZP Ip8Q==
MIME-Version: 1.0
X-Received: by 10.170.116.203 with SMTP id i194mr7273471ykb.52.1414537195386; Tue, 28 Oct 2014 15:59:55 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Tue, 28 Oct 2014 15:59:54 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Tue, 28 Oct 2014 15:59:54 -0700 (PDT)
In-Reply-To: <CA+Vbu7wXqB5TY9iJDVsiqw=5kspeUPUS2shTPXSC7kwZchh3+Q@mail.gmail.com>
References: <20141027053452.13077.qmail@cr.yp.to> <544E4832.8030600@cs.tcd.ie> <CACsn0cn_4r67SmR9t+HqBb8YfYXd_r7FPJAxGcue1NRWsf5GBw@mail.gmail.com> <544EE4F1.2070201@cs.tcd.ie> <CAMm+LwiakY0OyxLY4BCwqe8Nq5A-5fQmf_AMCtf8mSNap6S1Bg@mail.gmail.com> <CACsn0cmda=CjaKweFfpD=PxxkKAHKpmHa+y7QCjbD9zCfrZ6yQ@mail.gmail.com> <CA+Vbu7x7s-WCjEBFskDqp9hTxFbLfd2PtNg6JTY8XBLXUU5Frw@mail.gmail.com> <CACsn0cnKPEAoGtYqhL4DKF9CcKWAPRtGNz8SiZ27vRKMDCQu+w@mail.gmail.com> <CA+Vbu7wXqB5TY9iJDVsiqw=5kspeUPUS2shTPXSC7kwZchh3+Q@mail.gmail.com>
Date: Tue, 28 Oct 2014 15:59:54 -0700
Message-ID: <CACsn0cmmX_=3=oyRE=ynBNaROGK=ZY9pY1TpyFoWXHApmY4v5Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Black <b@b3k.us>
Content-Type: multipart/alternative; boundary="001a1137d4c80d803a0506839b59"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/v7xwz3-R8GGAQ5gGfd9clcEWlTY
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Actual security levels for IETF crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 23:00:00 -0000

On Oct 28, 2014 3:06 PM, "Benjamin Black" <b@b3k.us> wrote:
>
> On Tue, Oct 28, 2014 at 1:02 PM, Watson Ladd <watsonbladd@gmail.com>
wrote:
>>
>>
>> On Oct 28, 2014 12:10 PM, "Benjamin Black" <b@b3k.us> wrote:
>> >
>> > There is a very long tail effect here. While many individuals might
express performance as a reason for not deploying TLS, sites which
represent the vast majority of HTTP and SMTP user traffic are few and
universally deploy TLS. The performance concerns for such major services
are more about cost reduction: faster curves means fewer servers to handle
a given request rate (where connection setup is the dominant consumer of
resources). There is no option to not deploy TLS because such services can
buy more servers but they can't buy more trust.
>>
>> What's good about spending extra money?
>
> You stated performance was the main concern slowing TLS deployment. That
is only true for small sites who represent a small fraction of TLS
connections. For large players, TLS is a given and performance is useful
for reducing COGS or improving latency (where latency again is interesting
because there is correlation between lower latency and more money).

I want every connection encrypted. To the extent that slow performance
driven by acceptability concerns interferes with this, that's a problem.
I'm already sad that the current best performer in eBATS,  literally
thousands of times faster then RSA of similar security levels,  has been
ruled out.

Performance of ECC is a major reason Cloudflare could turn on TLS for
everyone. If they were stuck with DHE and RSA, it wouldn't have happened.
Let's not limit the scope of discussion to websites taking money.

>
>>
>>
>> >
>> > The amplification problems of DNSSEC are not related to the choice of
cryptography. Regardless of signature algorithm, DNSSEC responses are
significantly larger than requests, making them attractive for
amplification attacks.
>>
>> This is unavoidable,  but RSA makes it worse.
>
> Glad we agree. It is unavoidable, not caused by algorithm choice.

It's made worse by algorithm choice, and some misfeatures like domain
suicide are directly caused by the barely adequate strength of RSA 1024,
and consequent workarounds.

>
>>
>> >
>> > DNSSEC did not use EC originally because 15+ years ago when it was
designed EC was still young and the patent situation made such a move
infeasible. RSA was prevalent, unencumbered, and implementations were fast.
EC was specified for DNSSEC only within the last 5 years, yesterday in DNS
deployment time, and for much of that time patent concerns persisted,
further retarding adoption.
>> >
>>
>> ECC was invented in 1986. Unlike RSA, the algorithm was not patented by
its inventors. All of the patents were on implementation techniques, and
none were required to implement. Picking RSA hasn't measurably speed DNSSEC
adoption.
>
> You are well aware the history of ECC for widespread industrial use
starts with SECG, which formed in 1998 and published SEC1 1.0 in 2000. RSA
was chosen at the time because it was the best available option. The speed
of adoption is unrelated to the algorithm choice in DNSSEC, except that
mandating ECC in 1999 (or 2004) would've precluded most deployment.
>
> Are you seriously now arguing that patents on implementation techniques
are no big deal and people should just work around them? I recall the
opposite position being vigorously argued in the recent past.

By me? Which patent would that have been? Actually I'm arguing that ECC
patent concerns were massively overblown, and that speed gains over RSA
were attainable even without taking advantage of the specialness of the
prime. But that's really far from the choice we face now.

>>
>> Furthermore,  if the cryptography was fast enough to apply to every
packet, the design would look considerably different. As a result of slow
signing, we got fast offline zone walking.
>
> No idea what point you're making. You seem to be simultaneously
suggesting that current DNSSEC key sizes are somehow relevant and that
DNSSEC itself is garbage, a case study in how not to do it, and would be
far better if only they'd applied knowledge from 15 years in the future.

No: I'm arguing that the choice of RSA signing had implications for the
design of DNSSEC that were negative,  in part because of RSA key sizes and
speed, and that users of DNSSEC are constrained by performance and other
problems rather then going for the most secure option. It's a case study in
slow crypto forcing bad design choices.

>>
>> >
>> > "NIST P-256 is in the DNSSEC spec, and does fit in 500 bytes."
>> >
>> > ECDSA, and with it P256, was not specified for DNSSEC until 2012, in
RFC6605. RFC4034, which updates the original DNSSEC specification, includes
an ECC code point for signatures, but does not offer anything more and this
code point was not used for either P256 or P384 based signatures.
>> >
>
> ...
>
>>
>> This is a reason for using the same single measurement framework for all
benchmarks. I could easily imagine a systematic 10% measurement error
caused by differing overheads when measuring the same code.
>>
>> I don't think the claims are false. I think it's hard to compare
measurements made different ways on different machines, which is why Mike
Hamburg email above is as good as it gets, and with relatively little
effort we could have much better data.
>>
>> But if we accept the numbers above, what does that say about NUMS vs.
Other? It looks to me that for minor changes in security level or
performance,  major gains in the other variable are possible.
>
> Trustworthiness of the curves are also a consideration, though obviously
one not as easily measured as performance. That it is hard to measure or
not a serious concern for you does not invalidate its importance to many.

In what way is 25519 less trustworthy them the Microsoft proposal?
Performance is also very demanding and imposes rigidity. How much
performance are you willing to give up for a little trust, which can't be
easily measured, and might point the other way in the case of E-521 with 3
independent discoveries?

Curve choice matters less then point format and signature issues where we
are also disappointingly far from agreement. Or maybe we are close enough
that no one bothered to respond beyond Andy Lutomirski because the answers
were obvious.

>
>
> b